...

<Host name="ap.thalia-dev.mit.edu">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>

and in the <Credentials xmlns="urn:mace:shibboleth:credentials:1.0"> block make sure the following exists:

<FileResolver Id="MITcreds">
    <Key>
        <Path>/home/www/ssl/private/thalia-dev.mit.edu-2008-08-04-key.pem</Path>
    </Key>
    <Certificate>
        <Path>/home/www/ssl/certs/thalia-dev.mit.edu-2008-08-04-cert.pem</Path>
    </Certificate>
    <CAPath>
        <Path>/home/www/ssl/certs/mitCA.pem</Path>
    </CAPath>
</FileResolver>

The Key is the server's private key. The Certificate is the server's certificate. Make sure that your server certificate is enabled for server use as well as client use. If not, request a new one. The CAPath is the CA that signs the client certificates.

7. To pass the HTTP_REMOTE_USER variable, make sure the following is in /home/www/sash-server/conf/consolidator.conf:

JkEnvVar REMOTE_USER
JkEnvVar HTTP_REMOTE_USER

Also, in /home/www/sash-server/servers/thalia/conf/server.xml, make sure the AJP connector is defined as follows:

    <!-- An AJP Connector - uncomment if needed -->
    <Connector port="8901"
               request.tomcatAuthentication="false" address="127.0.0.1"
               protocol="AJP/1.3" />

8. Restart the webserver: /etc/init.d/web restart
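
Added example (not part of the original instructions): with tomcatAuthentication set to false, Tomcat accepts whatever REMOTE_USER arrives over AJP, so the connector from step 7 must stay bound to 127.0.0.1. The check below parses a server.xml and flags any AJP connector that delegates authentication without a loopback bind address. The sample XML and the function names are constructed for illustration, and the newer attribute spelling tomcatAuthentication is checked alongside the one used on this page.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the first connector mirrors step 7; the second is a
# constructed counter-example with the same trust setting but no bind address.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8901" request.tomcatAuthentication="false"
               address="127.0.0.1" protocol="AJP/1.3" />
    <Connector port="8902" request.tomcatAuthentication="false"
               protocol="AJP/1.3" />
  </Service>
</Server>
"""

def is_loopback(address):
    """True only for a literal loopback IP; no address means all interfaces."""
    try:
        return ipaddress.ip_address(address or "").is_loopback
    except ValueError:
        return False  # empty value or hostname: not verified as loopback

def delegates_auth(attrs):
    """True when Tomcat accepts the user identity the proxy sends over AJP."""
    names = ("tomcatAuthentication", "request.tomcatAuthentication")
    return any(attrs.get(n, "true").strip().lower() == "false" for n in names)

def audit_ajp_connectors(server_xml):
    """Return (port, address, delegates, ok) for each AJP connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP connectors are out of scope for this check
        address = conn.get("address")
        delegates = delegates_auth(conn.attrib)
        # A connector that trusts the proxy's REMOTE_USER must be reachable
        # only by that proxy, so it has to be bound to loopback.
        ok = is_loopback(address) or not delegates
        findings.append((conn.get("port"), address, delegates, ok))
    return findings

if __name__ == "__main__":
    for port, address, delegates, ok in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print("OK" if ok else "EXPOSED", f"port={port}",
              f"address={address or '(all interfaces)'}", f"delegates={delegates}")
```

To run it against a real file, pass the contents of server.xml to audit_ajp_connectors instead of the sample string.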

...